L8 - L9 Malicious Software and Firewalls Flashcards

1
Q

What is malware?

A

Programs designed to exploit vulnerabilities in computer systems.

2
Q

Name 4 types of malware that need hosts.

A
  1. Virus
  2. Trapdoor
  3. Trojan Horses
  4. Logic Bombs
3
Q

Name two types of malware that do not need a host.

A
  1. Worm
  2. Zombie
4
Q

Name three types of malware that do not replicate.

A
  1. Trapdoors
  2. Logic bombs
  3. Trojan horses
5
Q

Name three types of malware that do replicate.

A
  1. Viruses
  2. Worms
  3. Zombies
6
Q

What is a Trap door?

A
  • A secret entry point into a program
  • Sometimes trap doors are added to help programmers debug and test.
  • They become a threat when used to gain unauthorized access
7
Q

What is a logic bomb?

A

Code embedded in a legitimate program that is triggered when certain conditions are met.

Triggers include:
  • Particular date
  • Presence or absence of a file
  • Particular user running a particular program
When triggered, the code is said to ‘explode’; the damage it causes includes:
  • Deleting data or files
  • Causing the machine to halt

8
Q

What is a Trojan horse?

A
  • Program that has hidden code which, when invoked, performs an unwanted or harmful action
9
Q

What is a Zombie?

A
  • Program that takes over another networked computer.
  • Used to launch an attack which is subsequently difficult to trace back to the creator of the zombie.
  • In a Denial of Service attack, many computers infected by the zombie are used to overwhelm a target website
10
Q

What is a Virus?

A
  • A program that inserts itself into one or more programs by modifying them.
  • This modification includes a copy of the virus program.
  • This enables the virus to spread
  • The virus is attached to another program and executes when this host program is run.
  • The virus does not just copy itself; it can perform other actions such as deleting files, etc.
  • Most viruses are designed for specific operating systems, possibly specific hardware. They are designed to take advantage of the weaknesses of particular systems.
11
Q

What are the four phases of a virus?

A
  1. Dormant Phase - Virus is idle and waiting for an activation event, e.g. a date. Not all viruses have this stage
  2. Propagation Phase - Virus copies itself into other programs or system areas
  3. Triggering Phase - Virus is activated to perform an action. The trigger can be any number of events, such as a count of the number of times it has replicated
  4. Execution Phase - The action is performed. This can range from harmless such as a message, to destruction of data and programs
12
Q

Name 5 types of viruses

A
  1. Parasitic
  2. Memory Resident
  3. Boot Sector
  4. Stealth
  5. Polymorphic
13
Q

What are worms?

A
  • A malicious program that replicates itself but does not require a host program. It is a stand-alone program.
  • It actively seeks to infect other machines.
  • Network worms use network connections to spread.
  • Worms exhibit characteristics similar to viruses (the same phases as a virus).
  • In addition, once a worm is active it can perform a destructive action in the infected system.
  • One of the first worms was written at Xerox PARC: a program looking for idle processors and assigning them tasks
14
Q

What is a firewall?

A
  • A firewall is a machine standing between the local network and the Internet, filtering out traffic that might be harmful
  • All traffic from inside to outside must pass through the firewall, which is achieved by physically blocking all access to the local network except via the firewall
  • Only authorized traffic, which is defined by the local security policy, will be allowed to pass
  • The firewall is immune to penetration.
  • A firewall defines a single choke point; this simplifies security management because the security capabilities are consolidated on a single system (or set of systems).
  • Audits and alarms can be implemented on the firewall system. The firewall can also be used for non-security related functions, for example Internet usage logs.
15
Q

Name the three levels / types of firewalls

A

Filtering can be done at three levels

  1. Packet Filtering
  2. Circuit Gateway
  3. Application Gateway
16
Q

What is Packet Filtering?

A
  • Data transmitted over the Internet is split into packets.
  • Each packet has a header containing several pieces of information including source and destination IP address.
  • The firewall applies a set of rules to the contents of the header from each IP packet.
  • Depending on the outcome of the rules, the firewall either forwards or discards the packet
  • Note that packets can be filtered in both directions (incoming and outgoing data).
17
Q

What is Application Level Filtering?

A
  • This firewall works as a proxy for one or more services.
  • It acts as an intermediary between the internal network and the Internet. No direct communication between machines within
  • Works at the level of applications.
  • Examples include a mail filter that attempts to remove spam, or web proxies that block content.
  • Tends to be more secure than packet filters
18
Q

What is a Circuit-Level Gateway?

A
  • Acts as an intermediary, similar to the Application Gateway.
  • Less in-depth monitoring than the Application-Level gateway: it examines only packet address and port information
  • Data not requested from a machine within the firewall will be automatically discarded
  • Home DSL routers are typically of this type, since it is easy to combine with Internet sharing capabilities.
19
Q

What is a DMZ?

A
  • You can have more than one firewall in a system; the first firewall creates a demilitarized zone (DMZ)
  • The DMZ is then connected to internal networks via further filters
20
Q

Which two parts typically comprise a virus?

A
  1. a replication mechanism
  2. a payload
21
Q

What is a polymorphic virus?

A
  • Polymorphic - Creates copies of itself that are functionally equivalent but are different programs.
  • This can be achieved by:
  1. randomly inserting superfluous instructions and changing the order of instructions.
  2. using encryption to change the program.
  • A random key is generated by a part of the virus called the mutation engine. This is used to encrypt the remainder of the virus.
  • The key is stored with the virus and the mutation engine is itself altered.
  • When the virus replicates, a different key is randomly chosen
22
Q

What is a Stealth Virus?

A
  • A type of virus that attempts to hide itself from detection.
  1. The virus may intercept I/O routines, so when these routines are called the virus presents back the original uninfected program details
  2. When a virus appends itself to a program, the file gets longer. So an infected program is easy to detect through the change in file size.
    • A stealth approach is to compress the host program such that the combined virus length and compressed host program length is the same as the original uninfected program.
    • The virus contains decompress capability so that the host program will execute properly once the virus itself has completed running.
23
Q

What is the payload of a virus?

A
  • This will usually be activated by a trigger, such as a date, and then do a number of bad things:
  • Make selective (or random) changes to the machine’s protection state
  • Make changes to user data
  • Lock the network
  • Install spyware or adware
  • Install a rootkit
24
Q

What is the most common way for a virus to replicate itself?

A
  • The most common way for a virus to replicate is to append itself to an executable file and patch itself in:
  • The execution path jumps to the virus code and then back to the original program
25
Q

What is a parasitic virus?

A

Most common type. It attaches itself to executable files and when the program is executed, the virus replicates by finding other executables to infect.

26
Q

What is a memory resident virus?

A

Remains in main memory and infects every program that executes.

27
Q

What is a boot sector virus?

A

Spread whenever a system is booted from a disk containing the virus. This virus infects the master boot record.

28
Q

Name the three levels countermeasures act on once a virus has entered a system

A
  • Detection: determine that a virus is in the system and locate it.
  • Identification: identify the specific virus.
  • Removal: once identified, remove all traces of the virus code and restore the infected host program(s) to their original state.
29
Q

What are two advanced antivirus techniques?

A
  • Generic Decryption
  • Digital Immune System
30
Q

What is Behaviour Blocking?

A
  • It is software that monitors program behaviour in real time for malicious actions. It then blocks the action before it can do any damage.
  • Monitored behaviour includes:
    • Attempts to open, edit or delete files
    • Attempts to format disk drives and other unrecoverable disk operations
    • Attempts to modify critical system settings such as startup settings
    • Attempts to modify executable files, scripts and macros
    • Attempts to send executable files via email or instant messaging
    • Attempts to initiate network communications
  • The software does not just block actions; it can also terminate the program that is initiating the actions
31
Q

What is Generic Decryption?

A
  • Generic Decryption is used to identify complex polymorphic viruses that use encryption to disguise themselves.
  • It does this by having a complete software-based virtual computer.
  • A program to be scanned is executed within this emulator.
  • If the program contains a polymorphic virus, then at some point the main body of the virus will be decrypted
  • Periodically the emulator is halted and the code is scanned for virus signatures.
  • The actual computer is safe because the code is being run in a completely controlled environment
32
Q

What is a digital immune system?

A

The objective is to provide fast response times so that novel viruses can be detected and removed as soon as they are introduced.

  1. Each client machine has its own virus monitoring program. This program forwards any program deemed to be suspicious to an administration machine
  2. The administration machine sends the program, encrypted, to a central virus analysis machine
  3. This machine then runs the program in a protected environment and monitors it. It then produces a prescription for identifying and removing the virus
  4. This prescription is sent back to the administrative machine which, in turn, sends it to the infected machine and all the other machines in the network.
  5. The virus analysis machine also sends this prescription to other organisations. Individual subscribers would also receive this prescription with the next antivirus update.